Security

VTech hack fallout: What is a kid's privacy worth? About 22 cents – FTC

Toymaker coughs up $650k after three million youngsters have info swiped

By Shaun Nichols in San Francisco

11 SHARE

The US Federal Trade Commission (FTC) today agreed to a settlement deal with a children's electronic toymaker it had accused of collecting kids' personal information and then failing to properly secure that data.

The government watchdog said VTech will pay $650,000 and agree to a set of privacy and security requirements in order to settle charges it violated both the Children's Online Privacy Protection Act (COPPA) and the FTC Act.

The settlement deal puts to bed allegations by the FTC that VTech broke the law with its operation of its Learning Lodge, Kid Connect, and Planet VTech games and educational websites for kids. Specifically, that the company did not properly secure the information on millions of children and parents prior to the 2015 hack of its services and theft of customer data.

The breached Learning Lodge and Kid Connect services were said to have hosted around 2.25 million accounts that contained information on roughly three million kids. The accounts had things like the child's name, date of birth, and gender as well as the parent's name, physical address, email address, and security question answers.

VTech was accused of failing to properly encrypt that information (a violation of COPPA) and lying to parents about the extent of data collection and level of security it used (a violation of the FTC Act).

"As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data," said FTC chairwoman Maureen Ohlhausen.

"Unfortunately, VTech fell short in both of these areas."

The FTC and the US Department of Justice officially filed the complaint [PDF] against VTech Monday morning, at the same time it announced the settlement deal [PDF]. Under the agreement, VTech will not have to admit or deny any wrongdoing.

The toymaker will be required to cut the FTC a $650,000 check – about 22 cents per affected child – to settle the case. VTech will also agree to a stricter set of compliance requirements, including regular third-party security audits to check whether it is properly storing and encrypting its collected information, and to make sure it is getting express consent from parents before it collects and personal information. ®

Sign up to our NewsletterGet IT in your inbox daily

11 Comments

More from The Register

IoT shouters Chirp get themselves added to Microsoft Azure IoT

Now your devices can join you in bellowing at Redmond's products

Bad news, mobile operators: Unlicensed IoT tech rocketing ahead of NB-IoT and LTE-M – report

Plus global mobe mobs name Sigfox top IoT tech lag

When uploading comments to the FCC, you can now include malware

And this is the agency that wants to regulate the internet

Uber sued by Uber for tarnishing the good name of Uber

Can't we all just be Uber-alles?

France next up behind Britain, Netherlands to pummel Uber with €400k fine over 2016 breach

Dara and pals told to hand over yet another cash wodge for hack it spent $100k covering up

Uber fined £385k by ICO for THAT hack of 57m customers' deets

Updated 2.7 million Brits caught up in 'serious failure of data security' says UK data watchdog

ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Experts complain of shoddy tech specs and personal attacks

Uber 'does not exist any more' says Turkish president

Authorities start rounding up ride share drivers, passengers

Sidecar drags itself out the grave, sues Uber for putting it there

Cab hailing app accuses rival of predatory prices and fake bookings

Until now, if Canadian Uber drivers wanted to battle the tech giant, they had to do it in the Netherlands – for real

Yes, taxi app biz has managed the impossible – angering the good folks of Canada